Hardware access and monitoring control

ABSTRACT

Various embodiments described and illustrated here include one or more of systems, methods, software, and data structures that may be used to implement policies for hardware access and monitoring control in concert with a premises security system that controls ingress and egress of a facility. One embodiment includes identifying when certain devices are removed or decoupled from a computer and preventing one or more users of that computer from leaving a facility within which the computer is located.

RELATED APPLICATION

This application is related to and is a continuation application ofapplication Ser. No. 12/132,045, filed Jun. 3, 2008, entitled “HARDWAREACCESS AND MONITORING CONTROL”, to which priority is claimed and theentirety of which is incorporated herein by reference.

BACKGROUND INFORMATION

Data security is an important issue for many companies that develop andmaintain proprietary and confidential data in electronic form. Users ofcomputers that have access to such data can typically connect anyhardware they desire to their computers and use it. As a result, usersmay connect devices to their computers and copy data or provide othersaccess the data. For example, a user may connect a wireless networkingcard to a computer and connect to an outside network to provideunauthorized access to systems and data. Though such actions may becaught by surveillance, there currently are no mechanisms to preventsuch actions.

SUMMARY

One embodiment in the form of a method includes obtaining deviceproperty data from each device coupled to a system and determining ifeach device is a device authorized for use with the system. Suchembodiments further include allowing only devices authorized for usewith the system to be accessed by processes of the system.

Another embodiment includes maintaining a list of devices coupled to acomputer and determining if each device in the list is communicativelycoupled to the computer. Upon determining a device in the list is notphysically coupled to the computer, such embodiments send a notice thatthe device is not communicatively coupled to the computer.

Some embodiments, in the form of a system, may include a system having abus coupled to a network interface, a peripheral device, and a processorincluding an out-of-band controller. The out-of-band controller isoperable when the system is turned off to receive a request from arequestor over the network interface to determine if the peripheraldevice is coupled to the bus and to request and receive, over the bus,property data from the peripheral device. The out-of-band controllerfurther compares the property data to known property data of theperipheral device to confirm the peripheral device has expectedproperties and send data to the requestor, the data identifying if theperipheral device has the expected properties.

Another system embodiment includes a bus coupled to a memory and aprocessor. A device driver in such embodiments includes code operable onthe processor to retrieve property data from a peripheral uponconnection to the bus and determine if the peripheral device isauthorized for use with the system. The device driver initializes aperipheral device if the peripheral device is authorized.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a logical schematic diagram of a system according to anexample embodiment.

FIG. 2 is a logical block diagram of a networked system according to anexample embodiment.

FIG. 3 is a block flow diagram of a method according to an exampleembodiment.

FIG. 4 is a block flow diagram of a method according to an exampleembodiment.

FIG. 5 is a block flow diagram of a method according to an exampleembodiment.

FIG. 6 is a block flow diagram of a method according to an exampleembodiment.

DETAILED DESCRIPTION

Various embodiments described and illustrated here include one or moreof systems, methods, software, and data structures that may be used toimplement policies for hardware access and monitoring control. Someembodiments may be implemented to limit devices which may be used withcomputing devices within an organization. These and other embodimentsmay also be used to monitor what hardware is connected to computerswithin an organization and to determine if and when hardware policieshave been violated. Some embodiments may be operably interconnected withpremises security systems to help prevent removal of hardware devicesfrom a premises secured by such a system. These and other embodimentsare described herein with reference to the drawings.

In the following detailed description, reference is made to theaccompanying drawings that form a part hereof, and in which is shown byway of illustration specific embodiments in which the inventive subjectmatter may be practiced. These embodiments are described in sufficientdetail to enable those skilled in the art to practice them, and it is tobe understood that other embodiments may be utilized and thatstructural, logical, and electrical changes may be made withoutdeparting from the scope of the inventive subject matter. Suchembodiments of the inventive subject matter may be referred to,individually and/or collectively, herein by the term “invention” merelyfor convenience and without intending to voluntarily limit the scope ofthis application to any single invention or inventive concept if morethan one is in fact disclosed.

The following description is, therefore, not to be taken in a limitedsense, and the scope of the inventive subject matter is defined by theappended claims.

The functions or algorithms described herein are implemented inhardware, software or a combination of software and hardware in oneembodiment. The software comprises computer executable instructionsstored on computer readable media such as memory or other type ofstorage devices. Further, described functions may correspond to modules,which may be software, hardware, firmware, or any combination thereof.Multiple functions are performed in one or more modules as desired, andthe embodiments described are merely examples. The software is executedon a digital signal processor, ASIC, microprocessor, or other type ofprocessor operating on a system, such as a personal computer, server, arouter, or other device capable of processing data including networkinterconnection devices.

Some embodiments implement the functions in two or more specificinterconnected hardware modules or devices with related control and datasignals communicated between and through the modules, or as portions ofan application-specific integrated circuit. Thus, the exemplary processflow is applicable to software, firmware, and hardware implementations.

FIG. 1 is a logical schematic diagram of a system 100 according to anexample embodiment. The example system 100 includes severalinterconnected components that provide a computing environment withinwhich software may be executed. The components may include, withoutlimitation, a central processor 102 and random access memory 106 coupledto a memory control hub 104. The memory control hub 104 is also coupledto an I/O control hub 108. Coupled to the I/O control hub 108 is anetwork interface 109, an out-of-band controller 110, and one or morememories including at least one non-volatile memory, such as a flashmemory 116. Other memory and storage devices may also be coupled to theI/O control hub 108, such as one or more hard disk, floppy disk,writable optical disk, a Universal Serial Bus (“USB”) controller whichmay optionally include a USB storage device, and other writable datastorage devices. One or more display circuits, such as graphic cards orcircuits may also be coupled to the I/O control hub 108.

The out-of-band controller 110 includes a microprocessor 112 and one ormore memories 114 including one or more non-volatile memories. Theout-of-band controller 110 may also be referred to as a manageabilityengine. The out-of-band controller 110 typically operates when a powersource is available to the system 100. This includes even when thesystem 100 is powered off yet still plugged into a power source.

When a power supply is applied to the system 100, such as by plugging ina power cord of the system 100, the out-of-band controller 110initializes. The initialization of the out-of-band controller 110 mayinclude the out of band controller accessing an instruction set storedin a non-volatile memory, such as the flash memory 116 or a memory 114within the out-of-band controller 110. The instruction set is executedby the microprocessor 112 to perform several functions. One suchfunction may include initializing the network interface 109. The networkinterface 109 is typically a wired network interface device such as anEthernet card or Ethernet circuit embedded in a board of the system 100.In some embodiments, the network interface 109 may be a wireless networkinterface, such as a WiFi or WiMax enabled wireless network interfacedevice. Initializing the network interface 109 typically includesstarting the network interface 109 and loading a network communicationstack, such as a TCP/IP stack, to facilitate use of the networkinterface 109 by the out-of-band controller 110.

Another function facilitated by the out-of-band controller 110instruction set is the ability to receive a request from a requestorover the network interface 109 to determine if one or more devices arecoupled to the system 100. Such as request may originate with anadministrator, a process of a premises security system that may be usedto monitor and enforce security within a facility within which thesystem 100 is housed, or other logical or human user initiated process.The out-of-band controller 110 instruction set may then request andreceive property data from one or more devices coupled to the system100. The property data may include data identifying each device type anda serial number of each respective device. The property data may then beused by the out-of-band controller 110 instruction set to compareagainst stored property data of devices expected to be present withinthe system 100 to confirm that each device that is expected to bepresent is in fact present and the actual device expected based on theserial number or other data that is unique to a particular device. Theinstruction set of the out-of-band controller 110 may then send data tothe requestor indicating whether or not all expected devices arepresent. The data sent to the requestor may also identify one or more ofdevices that are not present and devices that are present but notexpected.

The system 100 may also include an instruction set stored in a datastorage device coupled to the I/O control hub 108 or other portion ofthe system 100. The instruction set is typically loaded into the RAM 106and executed by the central processor 102. The instruction set, in someembodiments, includes instructions executable on the central processor102 to obtain property data from devices coupled to the system, such asthe network interface 109, data storage devices coupled to the system100 such as a hard disk or a USB storage device when connected, andother devices, such as Peripheral Component Interconnect (“PCI”) typedevices. The instruction set is further executable in such embodimentsto determine if each device is a device authorized for use with thesystem 100 and/or by a user of the system 100. The instruction set maythen allow or prevent use of individual devices based on thedetermination if each device is authorized for use. For example, theinstruction set may prevent use of the network interface 109. In someembodiments, the instruction set may allow a limited set of functions tobe performed with individual devices, such as allowing reads from a harddisk, but not allow writes to the hard disk.

FIG. 2 is a logical block diagram of a networked system 200 according toan example embodiment. The system 200 includes clients 202, 204 andanother client 206 of an administrator. The client 206, in variousembodiments, may be a network administrator, system administrator, amanager of an employee using another of the clients 202, 204.

The clients 202, 204, 206 are coupled to a network 208. The network 208may include one or more of a local area network, the Internet, a widearea network, a system area network. The network 208 typically includeswired connections, but may also include wireless connections.

In some embodiments, both client 202 and client 204 include a datastructure identifying devices that are authorized for use on therespective clients 202, 204. This data structure may be locally storedon each client 202, 204 or may be retrieved from a network 208 storagelocation, such as a client system device authorizations database and log210. In some embodiments, the data structure identifying authorizeddevices includes property data of each authorized or excluded devicethat may be used to identify particular devices. This property data mayinclude a serial number of a device or other device property data thatmay be used to uniquely identify a device. The data structure mayfurther include permission data associated with each device identifiedin the data structure. For example, the permission data may specify adevice or devices of a certain type, such as USB storage devices, maynot be allowed to operate with the client 202, 204. The permission datamay alternatively authorize one or more of reading and writing data to astorage device, such as a hard disk, optical drive, or other storagedevice.

In some embodiments, the permissions of the data structure may beimplemented by Basic Input-Output System (“BIOS”) logic when the clients202, 204 are started. In such embodiments, the BIOS may preventunauthorized devices from being initialized. The BIOS may also redirectinterrupts directed toward such devices to be redirected or ignored. Inthese, and other embodiments, the permissions of the data structure mayalso or alternatively be implemented by device drivers of devicesidentified in the permissions data structure. Such a device driver, wheninitializing a respective device, may query the data structure to obtainpermission data relevant to the particular device. The driver may thenprevent the device from being accessed if it is an unauthorized device.However, the device driver may also allow only certain types of actions.For example, if the permissions data identifies that the particulardevice may only be read from, all writes sent to the device may beignored or an error returned.

In some embodiments, the BIOS, a device driver, or other software mayalso be operable upon demand, such as when a hot-pluggable device isadded or removed from a client 202, 204. In such events, when a deviceis added or removed from a client 202, 204, the software determines ifthe device is allowed and if any limited permissions need to beenforced. The software may retrieve device property data, compare theproperty data against the permissions data structure, and implement theappropriate permissions.

In some embodiments, the permissions data structure may also, oralternatively, identify one or more devices which must be present in aclient 202, 204. For example, a particular hard disk may be designatedas a required device. In the event that a required device is found to bemissing, the client 202, 204 may send a notice over the network 208 tothe client 206 of the administrator or manager and/or to the clientsystem device authorizations database and log 210 for tracking of suchviolations. A message may in some embodiments, such as in the event thata required device holds confidential, sensitive, secret, or othervaluable data. However, in other embodiments, a message identifying amissing piece of required hardware may be sent to a premises securitysystem 212 over the network.

The premises security system 212, in some embodiments, is a system usedto help secure a facility, such as an office within which the clients202, 204 are located. In the event that an item of hardware identifiedin the permissions data structure is determined to be missing, such asfrom client 202, the client 202 may send a message over the network 208to the premises security system 212. The premises security system 212may be aware of a user of the client 202 or the message may identify theuser of the client 202. the premises security system 212 may thenprevent the user from departing the office by preventing the user frompassing through a premises ingress/egress monitoring and control device214, such as a secured turnstile that may be activated by an access cardor other ingress/egress control device.

In further embodiments, when a user, such as the user of the client 202,attempts to pass through the premises ingress/egress monitoring andcontrol device 214 by swiping an access card, the premises securitysystem 212 may identify the client 202 of the user swiping the accesscard. The premises security system may then query the client 202 overthe network 208 to determine if all required hardware is present in theclient 202. The client 202 may include an out-of-band controller 110 asillustrated and described with regard to FIG. 1 or may include othersoftware to be responsive to such a query when the client 202 is poweredon. If the hardware is present on the client 202, such a message may bereturned to the premises security system 212 and the user is allowed topass through the ingress/egress monitoring and control device. If therequired hardware is not present, the user may be prevented from passingand further action may be taken by the premises security system 212,such as requesting for authorization form the client 206 of the manageror administrator or security personnel may called to attend to theidentified situation.

FIG. 3 is a block flow diagram of a method 300 according to an exampleembodiment. The method 300 is a method that may be used to implementlimited peripheral device permissions within a computer, such as accesspermissions of a user to a hard disk or network interface card. Themethod 300 includes obtaining 302 device property data from each devicecoupled to a system and determining 304 if each device is a deviceauthorized for use with the system. The method 300 further includesallowing 306 only devices authorized for use with the system to beaccessed by processes of the system.

The method 300 may further include retrieving data identifying one ormore devices authorized for use with the system for use in thedetermining 304. In such embodiments, the data identifying one or moredevices authorized for use may be retrieved from a database, such as theclient system device authorizations database and log 210 of FIG. 2 orother data storage location.

In some embodiments, allowing 306 only devices authorized for use withthe system to be accessed by processes of the system includes allowingthe processes of the system limited access to a particular device. Forexample, processes of the system may be able to read from a particulardevice, but prevented from writing to it. In other embodiments, a devicemay be written to but not read from. In further embodiments, suchlimited access includes allowing less than all of reading, writing,deleting, and updating data with regard to a particular device.

Further embodiments of the method 300 may include receiving anotification from a process of the system that a first device has beenremoved from communication with the system and sending a notice that thefirst device is no longer in communication with the system. Such anotice may be sent to a remote system and include data identifying thesystem and the first authorized device.

Obtaining 302 device property data from each device coupled to thesystem typically includes querying either the device directly or arepository of device data maintained by an operating system or virtualmachine manager of the system. For example, if the device is a USBdevice, the device may be queried directly to obtain propertyinformation such as data identifying a vendor of the device, the type ofdevice, a version of the device, and a serial number of the device. Inan operating system environment, such as a Microsoft Windows operatingsystem environment, various operating system application programminginterface methods may be available to obtain such information. Forexample, a PCI_EXPRESS_SERIAL_NUMBER capability call may be made withina Microsoft Windows environment to obtain the serial number of a PCIdevice. Other APIs may be present to obtain device property datadepending on the particulars and computing environment of the particularembodiment.

FIG. 4 is a block flow diagram of a method 400 according to an exampleembodiment. The method 400 is a method that may be implemented toenforce hardware access and monitoring control restrictions when ahot-pluggable device, such as a USB device, is added to a system whenalready booted. The method 400 includes receiving 402 a notificationfrom a process operable on the system that a new device has been coupledto the system and obtaining 404 device property data from the newdevice. The method 400 further includes determining 406 if the newdevice is a device authorized for use with the system and allowing 408processes of the system to access the new device only if the new deviceis determined to be authorized for use.

FIG. 5 is a block flow diagram of a method 500 according to an exampleembodiment. The method 500 may be performed by an out-of-band controlleras described and illustrated with regard to FIG. 1 or by another portionof a computing device, such as a desktop computer. The method 500includes receiving 502 a request from a requestor over the networkinterface to determine if the peripheral device is coupled to the bus.The received 502 request may be processed in some embodiments of themethod by requesting and receiving 504, over the bus, property data fromthe peripheral device and comparing 506 the property data to knownproperty data of the peripheral device to confirm the peripheral devicehas expected properties. The method 500 further includes sending 508data to the requestor, the data identifying if the peripheral device hasthe expected properties.

In some embodiments, the known property data of the peripheral device isstored in a non-volatile memory coupled to the bus and accessible by anout-of-band controller or other processing element of a computing deviceimplementing the method 500. The known property data of the peripheraldevice may include a serial number of the data storage device or otherdata that may be used to identify the peripheral device.

FIG. 6 is a block flow diagram of a method 600 according to an exampleembodiment. The method 600 includes maintaining 602 a list of devicescoupled to a computer and determining 604 if each device in the list iscommunicatively coupled to the computer. Upon determining a device inthe list is not physically coupled to the computer, the method 600includes sending 606 a notice that the device is not communicativelycoupled to the computer. The notice may be sent to a premises securitysystem that controls ingress and egress from a premises. In someembodiments, the notice includes data identifying one or more users ofthe computer.

In some embodiments, the method 600 may further include receiving arequest to determine if all devices included in the list of devices arecommunicatively coupled to the computer and send a response indicatingif any devices in the list of devices are not communicatively coupled tothe computer.

Other embodiments may include a peripheral device driver on a system,such as a system 100. The device driver in such embodiments is operableto retrieve property data from a peripheral device upon connection tothe bus, such as at system startup or upon a hot-plug event. The devicedriver in such embodiments is further operable to determine if theperipheral device is authorized for use with the system and toinitialize the peripheral device if it is authorized. In someembodiments, determining if the peripheral device is authorized includesdetermining if a serial number of the peripheral device included in theretrieved property data is included in a list of authorized peripheraldevices stored in the memory. The list of authorized peripheral devices,in such embodiments, may identify authorized functions that may beperformed with regard to the peripheral device. The authorized functionsmay include less than all of reading, writing, deleting, and updatingdata with regard to the peripheral device. In such embodiments, thedevice driver allows only authorized functions to be performed withregard to the peripheral device.

It is emphasized that the Abstract is provided to comply with 37 C.F.R.§1.72(b) requiring an Abstract that will allow the reader to quicklyascertain the nature and gist of the technical disclosure. It issubmitted with the understanding that it will not be used to interpretor limit the scope or meaning of the claims.

In the foregoing Detailed Description, various features are groupedtogether in a single embodiment to streamline the disclosure. Thismethod of disclosure is not to be interpreted as reflecting an intentionthat the claimed embodiments of the inventive subject matter requiremore features than are expressly recited in each claim. Rather, as thefollowing claims reflect, inventive subject matter lies in less than allfeatures of a single disclosed embodiment. Thus, the following claimsare hereby incorporated into the Detailed Description, with each claimstanding on its own as a separate embodiment.

It will be readily understood to those skilled in the art that variousother changes in the details, material, and arrangements of the partsand method stages which have been described and illustrated in order toexplain the nature of the inventive subject matter may be made withoutdeparting from the principles and scope of the inventive subject matteras expressed in the subjoined claims.

What is claimed is:
 1. A computer-readable medium, with instructionsthereon that are executable by a computer to: maintain a list of devicescoupled to a computer; determine if each device in the list iscommunicatively coupled to the computer; and upon determining a devicein the list is not physically coupled to the computer, send a noticeover a network via a network interface device of the computer to apremises security system that the device is not communicatively coupledto the computer, the premises security system controlling ingresses anegress from a premises within which the computer is located.
 2. Thecomputer-readable medium of claim 1, wherein the notice includes dataidentifying one or more users of the computer, the notice to cause thepremises security system to prevent egress from the premises of at leastthe one or more users of the computer.
 3. The computer-readable mediumof claim 1, wherein the device is a data storage device and the noticeincludes data identifying the data storage device.
 4. Thecomputer-readable medium of claim 1, with further instructions storedthereon that are further executable by an out-of-band controller of thecomputer when the computer is turned off.
 5. The computer-readablemedium of claim 1, wherein the list of devices coupled to the computerincludes at least one Peripheral Component Interface (“PCI”) device. 6.The computer-readable medium of claim 1, wherein the list of devicescoupled to the computer includes at least one Universal Serial Bus(“USB”) device.
 7. The computer-readable medium of claim 1, with furtherinstructions stored thereon that are further executable by the computerto: receive an interrupt from a Basic Input-Output System (“BIOS”) ofthe computer indicating a hot-pluggable device has been connected to orremoved from the computer; obtain device identifying data of thehot-pluggable device; compare the device identifying data to permissionsdata of authorized devices to determine what permissions are allowedwith regard to the hot-pluggable device; and implement the determinedpermissions.
 8. The computer-readable medium of claim 7, wherein aviolation of an implemented permission triggers a sending of a secondnotice over the network via the network interface device of the computerto the premises security system, the second notice including dataidentifying the permission violation.
 9. A method comprising:maintaining a list of devices coupled to a computer; determining if eachdevice in the list is communicatively coupled to the computer; and upondetermining a device in the list is not physically coupled to thecomputer, sending a notice over a network via a network interface deviceof the computer to a premises security system that the device is notcommunicatively coupled to the computer, the premises security systemcontrolling ingresses an egress from a premises within which thecomputer is located.
 10. The method of claim 9, wherein the noticeincludes data identifying one or more users of the computer, the noticeto cause the premises security system to prevent egress from thepremises of at least the one or more users of the computer.
 11. Themethod of claim 9, wherein the device is a data storage device and thenotice includes data identifying the data storage device.
 12. The methodof claim 9, wherein the method is performed by an out-of-band controllerof the computer when the computer is turned off.
 13. The method of claim9, wherein the list of devices coupled to the computer includes at leastone Peripheral Component Interface (“PCI”) device.
 14. The method ofclaim 9, wherein the list of devices coupled to the computer includes atleast one Universal Serial Bus (“USB”) device.
 15. The method of claim9, further comprising: receiving an interrupt from a Basic Input-OutputSystem (“BIOS”) of the computer indicating a hot-pluggable device hasbeen connected to or removed from the computer; obtaining deviceidentifying data of the hot-pluggable device; comparing the deviceidentifying data to permissions data of authorized devices to determinewhat permissions are allowed with regard to the hot-pluggable device;and implementing the determined permissions.
 16. The method of claim 15,wherein a violation of an implemented permission triggers a sending of asecond notice over the network via the network interface device of thecomputer to the premises security system, the second notice includingdata identifying the permission violation.
 17. A system comprising: abus; a network interface device coupled to the bus; a device coupled tothe system; a processor coupled to the bus and including an out-of-bandcontroller, wherein the out-of-band controller is operable when thesystem is turned off to: identify the device has been decoupled from thesystem; access a stored list of devices coupled to the system, thestored list including permissions data with regard to at least onedevice indicating the at least one device is not to be decoupled fromthe system; compare property data of the device decoupled from thesystem to the stored list of devices coupled to the system; upondetermining the device decoupled from the system is one of the at leastone devices that is not to be decoupled from the system, send a noticeover a network via the network interface device to a premises securitysystem indicating the device has been decoupled from the system, thepremises security system controlling ingresses an egress from a premiseswithin which the system is located.
 18. The system of claim 17, whereinthe notice includes data identifying one or more users of the system,the notice to cause the premises security system to prevent egress fromthe premises of at least the one or more users of the system.
 19. Thesystem of claim 17, wherein the device is a data storage device and thenotice includes data identifying the data storage device.
 20. The systemof claim 17, wherein the list of devices coupled to the computerincludes at least one of a Peripheral Component Interface (“PCI”) deviceand a Universal Serial Bus (“USB”) device.